Symmetries and security of a quantum-public-key encryption based on single-qubit rotations 
Exploring the symmetries underlying a previously proposed encryption scheme which relies on single-qubit rotations, we derive an improved upper bound on the maximum information that an eavesdropper might extract from all the available copies of the public key. Subsequently, the robustness of the scheme is investigated in the context of attacks that address each public-key qubit independently. The attacks under consideration make use of projective measurements on single qubits, and their efficiency is compared to attacks that address many qubits collectively and require complicated quantum operations.

I. INTRODUCTION



Quantum-public-key cryptography, where the public keys are quantum-mechanical systems, is a largely unexplored area of problems. Various cryptographic primitives can be defined in this context (e.g., digital signatures, identification schemes, encryption schemes, etc.) which aim at different goals (e.g., integrity, confidentiality, etc.) [1-10]. Of particular interest are quantum-public-key encryption (QPKE) schemes [6-10], which facilitate the communication between many users over insecure channels. Typically, a legitimate user participating in such a QPKE scheme has to choose a random secret (private) key, and prepare the public key in a state that is in accordance with the private key. Many copies of the public-key state can be created in this manner and become available to any potential sender in an authenticated manner, e.g., via a key-distribution center, whereas the corresponding private key is never revealed and is used by the receiver for decryption only. In a nutshell, QPKE combines the provable security of quantum-key distribution (QKD) protocols [11] with the flexibility of conventional public-key encryption schemes, thus facilitating key distribution and key management in large networks [10, 12]. Key distribution and key management are crucial issues associated with the security and the efficient operation of large networks, and cannot be solved efficiently in the context of QKD (followed by a classical symmetric cryptosystem) or quantum direct communication (QDC) protocols such as [13-15]. The main reason is that, by construction, the protocols of QKD and QDC are point-to-point protocols, and thus the total number of secure links and keys scales quadratically with the number of users in the network. This power law can be improved if the communications are performed via a key distribution center (KDC) which possesses all the secret keys. In this case, however, the center becomes an attractive target, while a compromised KDC immediately renders all communications insecure. In QPKE schemes, on the other hand, the KDC deals with the public keys only, whereas the private keys are in the possession of the legitimate users. The study of QPKE schemes is also of fundamental importance for the field of quantum cryptography because of the quantum trapdoor one-way functions, which are essential ingredients not only for the development of efficient encryption schemes, but also for many other cryptographic primitives (digital signatures, fingerprinting, zero-knowledge protocols, etc.).

The mere fact that in QPKE schemes many copies of the public keys become available allows an eavesdropper to launch new strategies that go beyond QKD and QDC protocols (e.g., see [18]). Although the actual state of the public key is unknown to an adversary, the multiple copies, when processed judiciously, may reveal more information on this state than a single copy. Hence, a security analysis of a particular QPKE scheme has to address questions related to the lengths of the private and the public keys, as well as the number of public-key copies that can become available before the entire cryptosystem is compromised. Clearly, such questions are intimately connected to specific aspects of QPKE which are present neither in QKD nor in QDC protocols.

The QPKE scheme of [10] is rather intuitive as it relies on single-qubit rotations. The public key consists of a number of qubits that are prepared at random and independently in some unknown state. A message can be encrypted in one of the public keys by rotating appropriately the corresponding qubit states, and the resulting cipherstate is subsequently sent for decryption. Due to its simplicity, this scheme may serve as a theoretical framework for addressing questions pertaining to the power and limitations of QPKE as well as its robustness against various types of attacks. In this context it has been shown recently that any deterministic QPKE requires randomness in order to be secure against a forward-search attack [18]. Furthermore, in contrast to the classical setting, a QPKE scheme can be used as a black box to build a new randomized bit-encryption scheme that is no longer susceptible to this attack.

Here we discuss for the first time a symmetry that underlies the scheme of [10] and that reduces considerably the information that an eavesdropper might extract from the copies of the public key. Subsequently, we analyze the security of the protocol against attacks that aim at the encrypted message and that rely on individual projective measurements on the qubits of the public key(s) and of the cipherstate. It is shown that the performance of such attacks can be only slightly worse than the performance of the forward-search attack [18], which requires complicated quantum transformations that are beyond today's technology.
We would like to emphasize that the discussion of the scheme of [10] with an appropriate choice of the parameters also applies to a specific so-called ping-pong protocol [14] that pertains to the category of quantum direct communication (QDC) protocols. The different context has to be taken into account to achieve meaningful statements.

This paper is organized as follows: In Sec. II, basic aspects of the recently introduced quantum-public-key protocol of [10] are summarized. The influence of symmetric eavesdropping strategies on upper bounds of the probability for an eavesdropper to guess correctly the private key or the encrypted message is investigated in Sec. III. Security aspects of the private key are discussed in Sec. III A on the basis of Holevo's bound. In Sec. III B an attack on encrypted messages is studied, which relies on individual projective measurements on the qubits involved. As a main result it is shown that Eve's success probability converges to the value of one half exponentially with the number of qubits in which the message is encrypted, with a scale depending on the number of publicly available copies of the public key. Furthermore, it turns out that the success probability of this attack differs only slightly from the already known optimal probability of successful state estimation by means of collective measurements. In addition, as discussed in Sec. III C, the resulting lower bound on the security parameter of the public-key protocol is also close to the previously derived security parameter of the forward-search attack of Ref. [18]. Finally, in Sec. III D a symmetry-test attack with projective measurements is explored, which attacks the message directly and makes use of only a single copy of the public-key quantum state and the corresponding cipherstate.

II. THE PROTOCOL 

For the sake of completeness, let us summarize briefly the main ingredients of the protocol proposed in [10]. Each user participating in the cryptosystem generates a key consisting of a private part and a public part, as determined by the following steps.

1. Choice of a random positive integer n ≥ 1. Additional limitations on n will be derived in the following section.

2. Choice of a random integer string k of length N, i.e., k = (k_1, k_2, ..., k_N). Each integer k_j is chosen at random and independently from Z_{2^n}, and thus it has a uniform distribution over Z_{2^n}.

3. The classical key k is used for the preparation of the N-qubit public-key state

|\Psi_{\mathbf k}(\theta_n)\rangle = \bigotimes_{j=1}^{N} |\psi_{k_j}(\theta_n)\rangle,   (1a)

where

|\psi_{k_j}(\theta_n)\rangle = \cos\!\left(\frac{k_j\theta_n}{2}\right)|0_z\rangle + \sin\!\left(\frac{k_j\theta_n}{2}\right)|1_z\rangle,   (1b)

while {|0_z⟩, |1_z⟩} denote the eigenstates of the Pauli operator σ_z = |0_z⟩⟨0_z| − |1_z⟩⟨1_z|, which form an orthonormal basis in the Hilbert space of a qubit. The Bloch vector associated with (1b) is given by R_j(θ_n) = cos(k_jθ_n) z + sin(k_jθ_n) x, with x, z denoting unit vectors and with

\theta_n = \pi / 2^{\,n-1}   (1c)

denoting the elementary angle of rotations around the axis with unit vector y.

4. The private (secret) part of the key is k, while the public part is {n, N, |Ψ_k(θ_n)⟩}.

Note that, since each k_j is distributed uniformly and independently over Z_{2^n}, the random state |ψ_{k_j}(θ_n)⟩ is uniformly distributed over the set of states

\mathbb H^{(n)} = \left\{ |\psi_{k_j}(\theta_n)\rangle \;:\; k_j \in \{0, \ldots, 2^n - 1\} \right\}.   (2)

The state of the jth public-key qubit |ψ_{k_j}(θ_n)⟩ is known if the corresponding Bloch vector (or equivalently the angle k_jθ_n) is known. The full characterization of the angle k_jθ_n requires n bits of information.

In general, a legitimate user should never reveal his private key, whereas he can produce at will as many copies of the public key as needed. The number of public-key copies T' [19], however, should be kept sufficiently small relative to n (the precise relation will be discussed in Sec. III A), so that the map

\mathbf k \;\to\; \{\, T' \text{ copies of } |\Psi_{\mathbf k}(\theta_n)\rangle \,\}   (3)

is a quantum one-way function by virtue of Holevo's theorem [10, 18]. The one-way property of the map (3) is essential for the definition of the public-key encryption in the present framework.

Suppose now that Bob wants to communicate a binary plaintext m to Alice. The users have agreed in advance on two encryption operators E_0 and E_1 for the encryption of bit "0" and "1", respectively. The key point here is that the bits of the plaintext (message) are assumed to be encrypted independently on public qubits that have been prepared at random and independently (see discussion above). Hence, for the sake of simplicity and without loss of generality, we can focus on the encryption of a one-bit message m ∈ {0, 1}. As discussed in [10, 18], in this case the protocol is not secure when the bit is encrypted on the state of a single qubit. However, it has been shown in the context of a forward-search attack that the robustness of the protocol increases considerably if m is encoded in a randomly chosen s-bit codeword w whose Hamming weight has parity m, which is subsequently encrypted on s public qubits [20]. Correspondingly, the analysis of the following section pertains to a one-bit message which is encrypted in the parity of an s-bit codeword, with s playing the role of a security parameter.

For the encryption of the one-bit message m ∈ {0, 1}, Bob chooses at random a codeword w = (w_1, ..., w_s) of parity m, and obtains an authenticated copy of Alice's public key (T' − 1 public keys still remain publicly available). The codeword is encrypted by applying independent successive encryption operations on the first s public qubits. The resulting (quantum) ciphertext is thus the s-qubit state

|\Psi_{\mathbf k, m}(\theta_n)\rangle = \bigotimes_{j=1}^{s} E_{w_j} |\psi_{k_j}(\theta_n)\rangle = \bigotimes_{j=1}^{s} |\chi_{k_j, w_j}(\theta_n)\rangle,   (4)

to be referred to hereafter as cipherstate. In this spirit, the encryption of an L-bit message requires a public key of length N ≥ Ls. The cipherstate is sent to Alice, who can obtain the message by means of a decryption procedure whose details are not essential for our purposes in this work. We only note here the crucial property that the encryption operations do not depend on Alice's private key, but the decryption operators do. Moreover, to allow for a simple decoding we assume that the cipher-qubit state is the state (1b) with the angle k_jθ_n shifted by w_jπ, i.e.,

|\chi_{k_j, w_j}(\theta_n)\rangle = \cos\!\left(\frac{k_j\theta_n + w_j\pi}{2}\right)|0_z\rangle + \sin\!\left(\frac{k_j\theta_n + w_j\pi}{2}\right)|1_z\rangle,   (5)

for w_j ∈ {0, 1}.

The primary objective of an eavesdropper (Eve) in the context of QPKE is to recover the plaintext from the cipherstate intended for Alice. On the other hand, there is always a more ambitious objective pertaining to the recovery of the private key from Alice's public key. A cryptosystem is considered to be broken with the accomplishment of either of the two objectives, but in the latter case the adversary has access to all of the messages sent to Alice (see also the related discussion in [10, 12]). It is essential therefore to ensure secrecy of the private key before we discuss the secrecy of a message. In Sec. III A we derive restrictions on the parameters n and T' so that the map (3) is a quantum one-way function, and thus the recovery of the private key from the public keys is prevented.

As far as the encryption of the message (or equivalently the codeword) is concerned, we note that, in view of Eqs. (1b) and (5), the two possible values of the jth bit of the codeword, w_j ∈ {0, 1}, are essentially encrypted in orthogonal eigenstates of a basis which is rotated relative to the basis {|0_z⟩, |1_z⟩} by an unknown angle k_jθ_n. This means that the cipher-qubit state is parallel (w_j = 0) or antiparallel (w_j = 1) to the corresponding public-qubit state. Thus, in the following analysis we consider two different classes of eavesdropping strategies which aim at the encrypted message. The first class involves attacks that exploit the symmetry between the public-key state and the cipherstate to reveal the message. The other class pertains to attacks that extract information on the public key (and thus on the basis in which the message has been encoded), so that the message can be recovered by means of a projective measurement in the estimated basis. Clearly, for this second class of attacks the probability of successful decryption is expected to increase with the information gain on the public-key state.

III. SYMMETRIC EAVESDROPPING STRATEGIES 

In a single run of the protocol the fixed quantities are the secret key k (and thus the public key), as well as the codeword w. In general, for a given eavesdropping strategy, the probability of successful eavesdropping in a single run of the protocol, P(suc|k, w), differs from the corresponding probability obtained by averaging over all possible values of k, i.e.,

P(\mathrm{suc}|\mathbf w) = \sum_{\mathbf k} P(\mathbf k)\, P(\mathrm{suc}|\mathbf k, \mathbf w) = \frac{1}{2^{nN}} \sum_{\mathbf k} P(\mathrm{suc}|\mathbf k, \mathbf w),   (6)

where for the last equation we have used the fact that k is uniformly distributed over {0, 1}^{nN}. The one-bit message m is encoded at random on one of the 2^{s−1} possible s-bit codewords with parity m (examples are given in [10, 18]). Hence, the conditional probability for the codeword w to occur, given a particular value of m ∈ {0, 1}, is P(w|m) = 2^{−(s−1)}. However, from the point of view of an adversary, both values of m ∈ {0, 1} are equally probable, and thus P(w) = Σ_m P(w|m) 2^{−1} = 2^{−s}, i.e., the codewords have a uniform distribution over {0, 1}^s. Therefore, the eavesdropping strategies we are going to discuss are symmetric with respect to all possible codewords [23], and thus we also have P(suc) = 2^{−s} Σ_w P(suc|w) = P(suc|w).



A. Eve's point of view 

Our first task is to find out how much information Eve may extract from τ available copies of the jth public qubit, and to investigate the conditions under which the security of the private key is guaranteed.

From Eve's point of view, the state of the jth public qubit is uniformly distributed over H^{(n)}, with the corresponding a priori probability being 2^{−n}. Hence, the density operator describing the state of τ copies of the jth public qubit is

\rho^{(\tau)}_{j,\mathrm{prior}} = \frac{1}{2^n} \sum_{k'_j = 0}^{2^n - 1} |\Phi^{(\tau)}_{k'_j}(\theta_n)\rangle\langle\Phi^{(\tau)}_{k'_j}(\theta_n)|,   (7)

where |Φ^{(τ)}_{k'_j}(θ_n)⟩ := |ψ_{k'_j}(θ_n)⟩^{⊗τ}. In the space of τ-qubit states we have τ + 1 different subspaces, each of which is spanned by all B(τ, l) = \binom{τ}{l} eigenstates with the same Hamming weight l, i.e., the same number of qubits which are in the state |1_z⟩. Within one of these subspaces, say S_l, we can define the fully symmetric state

|l\rangle = \frac{1}{\sqrt{B(\tau, l)}} \sum_{\mathbf x \in \{0,1\}^{\tau},\ \mathrm{wt}(\mathbf x) = l} |\mathbf x\rangle,

where the sum runs over all the τ-qubit eigenstates with the same Hamming weight l. The problem can be formulated entirely in terms of these (τ + 1) symmetric states {|l⟩ : l = 0, 1, ..., τ}.
Using Eq. (1b), we have

|\Phi^{(\tau)}_{k'}(\theta_n)\rangle = \sum_{l=0}^{\tau} c_l(k')\, |l\rangle,   (8a)

with

c_l(k') = \sqrt{B(\tau, l)}\; \cos^{\tau - l}\!\left(\frac{k'\theta_n}{2}\right) \sin^{l}\!\left(\frac{k'\theta_n}{2}\right).   (8b)

Thus the density operator of Eq. (7) reads

\rho^{(\tau)}_{j,\mathrm{prior}} = \sum_{l, l' = 0}^{\tau} \rho_{l l'}\, |l\rangle\langle l'|,   (9a)

with

\rho_{l l'} = \frac{1}{2^n} \sum_{k' = 0}^{2^n - 1} c_l(k')\, c_{l'}(k').   (9b)

In Appendix A we provide additional information on the form of the a priori density operator ρ^{(τ)}_{j,prior} as well as some observations regarding its rank and eigenvalues. What we have so far, however, suffices to provide an upper bound on the von Neumann entropy S[ρ^{(τ)}_{j,prior}] for any values of τ and n. In particular, instead of saying that τ copies of the jth public-key qubit are distributed, we can say that one copy of a larger (τ + 1)-dimensional system becomes publicly available. Hence, we have

S\big[\rho^{(\tau)}_{j,\mathrm{prior}}\big] \le \log_2(\tau + 1).   (10)

The state described in Eq. (7) is a convex "classical" mixture of quantum states {|Φ^{(τ)}_{k'_j}(θ_n)⟩} which are distributed with probabilities p_j = 2^{−n}. Albeit pure, the states |Φ^{(τ)}_{k'_j}(θ_n)⟩ are not mutually orthogonal. As a result the von Neumann entropy of the density operator ρ^{(τ)}_{j,prior} is strictly smaller than the Shannon entropy of the corresponding probability distribution, H(p_j) = n. The Holevo bound restricts Eve's average information gain I_av on the unknown state for τ copies. In particular, the information gain is upper bounded by S[ρ^{(τ)}_{j,prior}], and in view of inequality (10) we obtain the result

I_{\mathrm{av}} \le \log_2(\tau + 1).   (11)

On the other hand, one still needs n bits of information to characterize completely the state of the jth qubit (which of course implies knowledge on the private key as well). So, as long as

n > \log_2(\tau + 1),   (12)

the one-way property of the map (3) is guaranteed [25]. Thus one can be confident that no matter what strategy Eve may choose, her information on each public-key qubit is very low. Despite the fact that Eve has almost no knowledge about the public key, she may be able to decrypt an encrypted message successfully. This will be demonstrated in the next sections.

In closing, we would like to emphasize that in the earlier security analyses of this scheme the symmetries underlying the particular encryption scheme have not been taken into account, and thus a larger upper bound on I_av was obtained, suggesting that Eve can get up to τ bits of information from τ copies of the public key. However, this section demonstrates that the actual upper bound turns out to scale logarithmically with τ, so that secrecy of the private key can be guaranteed already for significantly smaller values of n. Intuitively, this originates from the fact that the protocol restricts Eve by construction to the (τ + 1)-dimensional subspace of symmetric states for the τ copies of the jth public-key qubit. In Appendix A we provide a tighter upper bound on Eve's information gain based on basic properties of the eigenvalues of ρ^{(τ)}_{j,prior}.



B. Incoherent Projective Measurements 

Eve knows that all of the qubit states lie on the x — z plane 
of the Bloch sphere. Thus, she may try to deduce the mes- 
sage by means of projective measurements on the cipherstate 
as well as on all of the remaining (T' — 1) copies of the pub- 
lic key 126]. In the following, we assume that each qubit of 
the public key or of the cipher is measured independently. In- 
deed, given that the random state of each public-key qubit is 
chosen independently and that it is distributed uniformly over 
H'^"\ it is reasonable to assume that there are no hidden pat- 
terns that Eve can take advantage of by attacking many qubits 
collectively. 

One possible strategy for Eve is to obtain an estimate of the 
public -key state ([T]i by measuring half of the public keys on 
the (eigen)basis { |0^), jlz)} of the Pauli operator ct^ and the 
other half on the (eigen)basis { |0a;), \lx)} of the Pauli opera- 
tor (Tj, = |0r)(l2| + 1 12)(02 1 . In this way she can obtain an 
estimation on the jth public-qubit state or equivalently on its 
Bloch vector Rj . It should be emphasized that such an attack 
essentially aims at the private key which, by construction, is 
in one-to-one correspondence with the public key. Although, 
condition (fTST i restricts Eve's information gain on the private 
key to negligible values, it cannot guarantee secrecy of the en- 
crypted message. Hence, in an attempt to reveal the message 
she can measure the cipherstate on a basis defined by her guess 
on the corresponding public-qubit state. The main purpose of 
this section is to analyze this attack. 

Since all public-key qubits are equivalent and independent, let us start by focusing on one of them, i.e., the jth qubit, which is measured in the basis b ∈ {z, x}, with b = z (x) referring to the eigenbasis of the operator σ_z (σ_x). The two possible outcomes of these measurements are "0" and "1", and they occur with probabilities

p^{(b)}_0(k_j) = \cos^2\!\left(\frac{k_j\theta_n - \beta\pi/2}{2}\right), \qquad p^{(b)}_1(k_j) = 1 - p^{(b)}_0(k_j).   (13)

In this equation, β ∈ {0, 1} with the correspondences b = z → β = 0 and b = x → β = 1. Without loss of generality let us also assume that T' − 1 = 2T, so that T measurements are performed in each basis b. Let T_0^{(b)} denote the number of outcomes "0" from measurements in the b basis. In a single run of the protocol Eve obtains a particular set of outcomes {T_0^{(z)}, T_0^{(x)}} out of the different possible combinations. We will first discuss how much information she can obtain about the public-qubit state (or equivalently the private key).



1. Information gain on the public-qubit state 

The a posteriori probability for the jth qubit state is given by Bayes' law

P(k'_j \,|\, T_0^{(z)}, T_0^{(x)}) = \frac{P(T_0^{(z)}, T_0^{(x)} \,|\, k'_j)\, P(k'_j)}{P(T_0^{(z)}, T_0^{(x)})}.   (14a)

The probability for the outcome {T_0^{(z)}, T_0^{(x)}} to occur given the input state |ψ_{k'_j}(θ_n)⟩ is

P(T_0^{(z)}, T_0^{(x)} \,|\, k'_j) = \prod_{b \in \{z, x\}} \binom{T}{T_0^{(b)}} \left[p^{(b)}_0(k'_j)\right]^{T_0^{(b)}} \left[1 - p^{(b)}_0(k'_j)\right]^{T - T_0^{(b)}},   (14b)

and P(T_0^{(z)}, T_0^{(x)}) is the corresponding probability of the outcome irrespective of the state, obtained by averaging (14b) over the a priori equally probable values of k'_j.

A sample of a posteriori probability distributions is depicted in Fig. 1 for T = 8, T = 9, and various events {T_0^{(z)}, T_0^{(x)}}. Different public-qubit states may give rise to a certain combination {T_0^{(z)}, T_0^{(x)}}, albeit with different probabilities. Hence, given a particular combination of "0" outcomes in the two bases, the conditional a posteriori probability distribution exhibits peaks for public-qubit states (as determined by k_jθ_n) which are consistent with the particular event under consideration.

Eve's information gain is given by the difference of the Shannon entropies of the distributions before and after the measurements, i.e.,

I_{\mathrm{av}} = H(p_j) + \sum_{T_0^{(z)}, T_0^{(x)}} P(T_0^{(z)}, T_0^{(x)}) \sum_{k'_j} P(k'_j \,|\, T_0^{(z)}, T_0^{(x)}) \log_2\!\left[P(k'_j \,|\, T_0^{(z)}, T_0^{(x)})\right],   (15)

where we have summed over all possible outcomes for a given state. The entropy of the a priori uniform probability distribution is equal to the entropy of the private-key element k_j. As depicted in Fig. 2, this information gain is slightly below the Holevo bound of Eq. (A2) for τ = 2T, which is tighter than the bound of Eq. (10). It is worth mentioning that although the information gain depends weakly on n, the Holevo bound does not. In the subsequent discussion the choices of n and T are such that the inequality (A2), and thus also inequality (10), are satisfied for τ = 2T.

FIG. 2. (Color online) Entropy of the a priori probability distribution (= entropy of the private key), Holevo bound and information gain as functions of the number of public-key copies 2T that become available. The value of n affects considerably the a priori probability distribution. The inset shows the difference between the Holevo bound and the information gain.

2. Probability of correctly guessing the message

As we have seen in the previous subsection, a particular outcome {T_0^{(z)}, T_0^{(x)}} of a single run of the protocol allows Eve to update her knowledge on the public-qubit state she may have been given. From her point of view the a posteriori state pertaining to τ public-key copies is given by

\rho^{(\tau)}_{j,\mathrm{post}} = \sum_{k'_j} P(k'_j \,|\, T_0^{(z)}, T_0^{(x)})\, |\Phi^{(\tau)}_{k'_j}(\theta_n)\rangle\langle\Phi^{(\tau)}_{k'_j}(\theta_n)|.   (16)

Tracing out τ − 1 copies, we obtain for the single-copy density operator the expression

\rho^{(1)}_{j,\mathrm{post}} = \sum_{k'_j} P(k'_j \,|\, T_0^{(z)}, T_0^{(x)})\, |\psi_{k'_j}(\theta_n)\rangle\langle\psi_{k'_j}(\theta_n)|   (17)

and the corresponding (estimated) Bloch vector

\tilde{\mathbf R}_j = \sum_{k'_j} P(k'_j \,|\, T_0^{(z)}, T_0^{(x)}) \left[\cos(k'_j\theta_n)\,\mathbf z + \sin(k'_j\theta_n)\,\mathbf x\right],   (18)

with ||R̃_j|| ≤ 1.

Recall now that the one-bit message m is encoded in the parity of an s-bit codeword w which is subsequently encrypted on s public qubits. Let us calculate first Eve's probability to recover the bit w_j in a single run of the protocol by measuring the corresponding cipher qubit in the basis defined by R̃_j. For the particular encryption under consideration (see Sec. II) her probability of success is P(suc|w_j, k_j, T_0^{(z)}, T_0^{(x)}) = cos²(Ω_j/2), with Ω_j denoting the angle between the actual Bloch vector R_j and its estimate R̃_j. Hence, we obtain

P(\mathrm{suc} \,|\, w_j, k_j, T_0^{(z)}, T_0^{(x)}) = \frac{1}{2} + \frac{\mathbf R_j \cdot \tilde{\mathbf R}_j}{2\,\|\tilde{\mathbf R}_j\|},   (19)

with R_j defined in Sec. II. For a given public-qubit state various outcomes may occur, albeit with different probabilities, so that

P(\mathrm{suc} \,|\, w_j, k_j) = \sum_{T_0^{(z)}, T_0^{(x)}} P(\mathrm{suc} \,|\, w_j, k_j, T_0^{(z)}, T_0^{(x)})\, P(T_0^{(z)}, T_0^{(x)} \,|\, k_j).   (20)

The typical behavior of P(suc|w_j, k_j) with k_j (or equivalently k_jθ_n) is depicted in Fig. 3, where we have an oscillation around the mean value

P(\mathrm{suc} \,|\, w_j) = \frac{1}{2^n} \sum_{k_j} P(\mathrm{suc} \,|\, w_j, k_j).   (21)

As we increase the number of public-key copies the amplitude of the oscillations becomes smaller and the mean value increases. In particular, we find that for T > 1

P(\mathrm{suc} \,|\, w_j) \le 1 - \ldots \equiv U(T).   (22)

As depicted in Fig. 4, this performance is very close to the optimal probability of successful state estimation by means of collective measurements [27], which scales like

P_{\mathrm{opt}}(\mathrm{suc} \,|\, w_j) \simeq 1 - \ldots .   (24)

Bagan et al. [28] have demonstrated that this upper bound can be saturated by means of individual measurements, and our attack has similarities to their approach. Finally, for our subsequent discussion it is worth keeping in mind that P(suc|w_j) does not depend on the actual value of the bit w_j, i.e., P(suc|w_j = 0) = P(suc|w_j = 1).

Up to now our results refer to one bit of the codeword only, and our task is to obtain the probability of success in guessing correctly the message bit m from the s-bit codeword w. Since the message is encoded in the parity of the codeword, Eve succeeds even if she fails to predict correctly a out of s bits with a even. Instead of considering her probability of success in a single run of the protocol, which is a rather complicated task, we concentrate in the following on her probability of success averaged over all possible public-qubit states (or equivalently private keys k). As depicted in Fig. 3, for large T the amplitude of the oscillations is at least an order of magnitude smaller than the mean. Hence, any conclusions based on the average probability of success are also expected to apply with good accuracy to a single run of the protocol. Since each bit of the codeword is encrypted separately in independently prepared public qubits, the averaging over all possible values of k is straightforward. Thus, one obtains for the average probability of successful eavesdropping for a given message m and codeword w

P_s(\mathrm{suc} \,|\, m, \mathbf w) = \sum_{a\ \mathrm{even}} \binom{s}{a} \left[1 - P(\mathrm{suc} \,|\, w_j)\right]^{a} \left[P(\mathrm{suc} \,|\, w_j)\right]^{s - a}.   (25a)

Averaging over all possible equally probable codewords and messages we finally find

P_s(\mathrm{suc}) = P_s(\mathrm{suc} \,|\, m, \mathbf w).   (25b)

In Fig. 5, P_s(suc) is depicted as a function of the codeword length s for various numbers of public-key copies (solid lines). Clearly, the average probability of success decreases with increasing s, whereas this drop becomes slower and slower as we increase the number of public-key copies. For T > 1 a rather tight upper bound for P_s(suc) is given by the expression

P_s(\mathrm{suc}) \le \frac{1}{2} + \frac{1}{2}\left(1 - \frac{1}{3T}\right)^{s},   (26)

which is also plotted in Fig. 5 with dashed lines. A sketch of the proof of this upper bound is provided in Appendix B.

FIG. 5. (Color online) Average probability of success P_s(suc) as a function of the codeword length s, for n = 10 and various values of T. The solid lines are numerical results obtained from Eqs. (25), whereas the dashed lines are for the upper bound defined in Eq. (26).

Now, let us assume that the users participating in the protocol have agreed in advance on a security parameter ε ≪ 1 so that Eve's probability of success P_s(suc) has to fulfill the relation P_s(suc) ≤ 1/2 + ε. This implies that the message bit m has to be encrypted in

s \ge \frac{|1 + \log_2(\varepsilon)|}{\left|\log_2\!\left(1 - \frac{1}{3T}\right)\right|}   (27)

qubits, which is always fulfilled if

s \ge 3T\,|1 + \log_2(\varepsilon)|.   (28)

C. Comparison to the forward-search attack

The robustness of the present public-key encryption scheme against a forward-search attack based on a symmetry test, in which Eve compares the cipherstate with the public-key state, is discussed in Refs. [10, 18]. The symmetry test of Refs. [10, 18] takes into account all the copies of the public keys, but in contrast to the attacks discussed here it requires rather complicated quantum operations and gates, such as Fourier transformations and permutations on large numbers of qubits. Due to the nature of the attack the probability for successful eavesdropping does not vary from run to run, and the probability for an eavesdropper to deduce the parity of the s-bit codeword, and hence the message, from the cipherstate is given by

P_s(\mathrm{suc}) = \frac{1}{2} + \frac{1}{2}\left(1 - \ldots\right)^{s}.   (29)

It is rather surprising how close this exact expression is to the upper bound (26), which is slightly below the optimal probability of success. For a given security threshold ε the length of the codeword has to satisfy

s \ge T\,|1 + \log_2(\varepsilon)|,   (30)

which differs from Eq. (28) by a factor of three only.



D. A symmetry-test attack with projective measurements 

In contrast to the previous attack we will consider here an 
attack which aims directly at the message rather than the pri- 
vate key and makes use of one copy of the public-key state and 
the cipherstate only. Eve pairs up the corresponding qubits 
of the public key and the cipher state i.e., the jth pair per- 
tains to the jth qubits. The qubits of the jth pair are pro- 
jected independently onto the same randomly chosen eigen- 
basis { |0;^^)}, |ltpj)} where 

IC^^) = (-l)Ccos(^) |0.)+sin(^) |1.) (31) 

and ipj is uniformly distributed over [0, 2tt). The probability 
of correct guessing either of the qubits is given by 



2 2 
~ COS 



.(32) 



However, since for a fixed value of kj the angle ipj is cho- 
sen at random, we can introduce a new random variable 
„ = kjdn — 'Pj uniformly distributed over the interval 
[0, 27r). For later convenience let us also denote the number 
of wrong outcomes for the jth pair by ej with < Cj < 2. 
As discussed in the last paragraph of Sec. HIl the question that 
Eve has to answer is whether the states of the qubits in the 
jth pair are parallel or antiparallel. She obtains the correct an- 
swer if the outcomes of the measurements on the correspond- 
ing two qubits are either both correct {ej = 0) or both wrong 
(cj = 2). Thus, the probability of success in a single run of 
this protocol is given by 



P{mc\wj,kj) = [F(w,,„)]2 + [1 - F{uj,^n) 



(33) 



If the one-bit message is encoded in the parity of an s-bit codeword which is subsequently encrypted on s qubits, Eve's strategy succeeds provided the total number of incorrect outcomes $e = \sum_{j=1}^{s} e_j$ is an even integer (e.g., see Table I for s = 2). The total probability of success in a single run can be obtained by means of an iteration of the form (B3), where $Q^{(s)}$ is a multivariable function, i.e., $Q^{(s)}(\omega_{1,n}, \ldots, \omega_{s,n}) = P_s(\mathrm{suc}\,|\,\mathbf{k}, \boldsymbol{\omega})$. Hence, Eve's probability of success in getting the correct parity, and thus the correct message, consists of two parts pertaining to the possible combinations of outcomes from a single pair and from the remaining s − 1 pairs. More precisely, the first term refers to the case where the overall result on the s − 1 pairs as well as the result on the single pair are correct, whereas in the second term Eve has failed in both cases.

TABLE I. Encryption of a single bit on the state of two qubits (s = 2). Possible combinations of true (t) and false (f) outcomes that lead to correct estimation of the message.

  public key   cipher state   e_1, e_2   e
  t,t          t,t            0,0        0
  t,f          t,f            0,2        2
  t,t          f,f            1,1        2
  t,f          f,t            1,1        2
  f,t          t,f            1,1        2
  f,f          t,t            1,1        2
  f,t          f,t            2,0        2
  f,f          f,f            2,2        4

Given that the probability $P_s(\mathrm{suc}\,|\,\mathbf{k}, \boldsymbol{\omega})$ is a function of s uncorrelated random variables $\omega_{j,n}$, its analysis for s > 2 is rather cumbersome. Nevertheless, it is straightforward to obtain an analytic expression for the average probability of success $P_s(\mathrm{suc})$ by averaging over all possible keys and codewords, which is equivalent to averaging over all possible combinations of $\{\omega_{j,n}\}$. Along the lines of Appendix B it can be proven that

$$P_s(\mathrm{suc}) = \frac{1}{2} + \frac{1}{2^{s+1}}. \qquad (34)$$

Again, the average probability of success drops exponentially towards 1/2 with increasing values of s. In contrast to Eqs. (26) and (29), this expression does not depend on T, since the attack under consideration uses only one copy of the public key. It is, however, equivalent to the corresponding expression for the forward-search attack, i.e. Eq. (29) for T = 1. Hence, for a given security threshold $\epsilon$ the length of the codeword has to satisfy inequality (30) for T = 1.

IV. CONCLUSIONS

We have analyzed the security of a quantum-public-key encryption (QPKE) scheme that relies on single-qubit rotations. For a given number of public keys, the symmetry underlying the protocol has been shown to restrict considerably the information that an eavesdropper might gain on the private key. This result suggests that new, more efficient QPKE schemes could rely on quantum one-way functions which exploit symmetries in the involved quantum states. It is also worth recalling here the pivotal role of symmetries in quantum-key-distribution protocols, as a result of which qudit-based protocols can tolerate higher error rates than qubit-based ones [30].

The robustness of the protocol under consideration was mainly analyzed in the framework of an attack which takes into account all the public-key copies and is based on projective measurements on single qubits. As a main result it has been shown that the performance of this attack is comparable to the performance of optimal collective measurements [27] as well as to the forward-search attack of [18], which involves rather complicated quantum operations. Variants of the attack are expected to be applicable to other types of QPKE schemes as well.
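As an added example (not code from the paper), the following Python script simulates the single-qubit symmetry-test attack of Sec. III D on a parity-encoded message and checks the empirical success rate against Eq. (34); it also implements the pair-by-pair iteration that Appendix B writes as (B3). It assumes (not stated on this page) that public-key qubit j is $\cos(k_j\theta_n)|0\rangle + \sin(k_j\theta_n)|1\rangle$ with $\theta_n = \pi/2^{n-1}$ and that a codeword bit 1 is encrypted by rotating the qubit to the orthogonal (antiparallel) state; the attack's success depends only on that parallel/antiparallel relation.

```python
import math
import random

# Added example, not from the paper. Assumption (not on this page): public-key qubit j is
# cos(k_j*theta_n)|0> + sin(k_j*theta_n)|1>, theta_n = pi/2^(n-1); codeword bit 1 is encrypted
# by rotating to the orthogonal state. Only the parallel/antiparallel relation matters here.

def pair_success(omega):
    """Eq. (33): Eve decides parallel/antiparallel correctly when both outcomes of the pair
    are right or both are wrong; F = cos^2(omega) is Eq. (32), omega = k_j*theta_n - phi_j."""
    f = math.cos(omega) ** 2
    return f * f + (1.0 - f) ** 2

def parity_success(omegas):
    """Exact P_s(suc|k, omega), built pair by pair as the iteration (B3): the parity of the
    codeword stays correct when the running result and the new pair are both right or both wrong."""
    p = 1.0
    for w in omegas:
        q = pair_success(w)
        p = p * q + (1.0 - p) * (1.0 - q)
    return p

def average_success(s, grid=2048):
    """Average of parity_success over independent omega_j uniform on [0, 2pi); the average
    factorises, so only the mean of 2*pair_success - 1 (on an equispaced grid) is needed."""
    m = sum(2.0 * pair_success(2.0 * math.pi * i / grid) - 1.0 for i in range(grid)) / grid
    return 0.5 + 0.5 * m ** s

def closed_form(s):
    """Eq. (34): 1/2 + 1/2^(s+1)."""
    return 0.5 + 0.5 ** (s + 1)

def measure(theta, phi, rng):
    """Projective measurement of cos(theta)|0> + sin(theta)|1> in the basis {|0_phi>, |1_phi>}."""
    return 0 if rng.random() < math.cos(theta - phi) ** 2 else 1

def simulate_attack(s, n, trials, seed=1):
    """Monte Carlo estimate of Eve's success rate: one public-key copy, one cipher state, s pairs."""
    rng, theta_n, hits = random.Random(seed), math.pi / 2 ** (n - 1), 0
    for _ in range(trials):
        m = rng.randrange(2)
        code = [rng.randrange(2) for _ in range(s - 1)]
        code.append(m ^ (sum(code) % 2))       # codeword whose parity is the message bit m
        guess = 0
        for c in code:
            k, phi = rng.randrange(2 ** n), rng.uniform(0.0, 2.0 * math.pi)
            a = measure(k * theta_n, phi, rng)                      # public-key qubit
            b = measure(k * theta_n + c * math.pi / 2, phi, rng)    # cipher qubit
            guess ^= int(a != b)                                    # differing outcomes: antiparallel
        hits += int(guess == m)
    return hits / trials
```

For s = 2 the simulation returns about 0.625, the value of Eq. (34), and the excess over 1/2 halves with every additional codeword bit.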
Appendix A: Properties of the density operator (9).

As for the matrix elements of the density operator of Eq. (9), we can distinguish two different cases:

Case 1: If $l + l'$ is an even number, the function $f_{T,l}(k_j\theta_n)\, f^{*}_{T,l'}(k_j\theta_n)$ has even parity and does not change sign as we sum over all possible values of $k_j$. Hence, we expect a non-zero contribution of $C_{l,l'}$ in this case.

Case 2: If $l + l'$ is an odd number, the element $C_{l,l'}$ vanishes, since the parity of the overall trigonometric function in the sum is odd.

Another important property of the density operator (9) is that for a fixed value of T there seems to exist a critical value of n, let us say $n_c$, for which it is n-independent for all $n \ge n_c$. Furthermore, we have studied the rank of the density operator as well as the form of its eigenvalues for various values of n and T. Our simulations show that for fixed T, $\mathrm{rank}[\rho^{(T)}] < T + 1$ for all $n < n_c$, and thus the density operator is singular, whereas for $n \ge n_c$, $\mathrm{rank}[\rho^{(T)}] = T + 1$.

The von Neumann entropy of a quantum state is bounded from above by $\log_2(D)$, with D denoting the dimension of the support of the relevant density operator. In view of the hermiticity of $\rho^{(T)}$ we have $D = \mathrm{rank}[\rho^{(T)}]$, and thus for a given pair (T, n) the entropy of the density operator is bounded from above by the corresponding entropy for $(T, n_c)$. Hence, we arrive again at the upper bound for the entropy provided in (10).

In order to obtain a tighter bound we can investigate the eigenvalues of the density operator for $(T, n_c)$. Our simulations suggest that in this case the eigenvalues of (9) are given by

So, $S[\rho^{(T)}]$ can be calculated as the entropy of the binomial distribution with mean T/2 and variance T/4. This entropy is bounded from above by the entropy of the normal (Gaussian) distribution with the same mean and variance [29], i.e. by $\frac{1}{2}\log_2(2\pi e\sigma^2)$ with $\sigma^2 = T/4$. Thus, we obtain the result

$$S[\rho^{(T)}] \le \frac{1}{2}\log_2(T) + \frac{1}{2}\log_2(\pi e/2) \qquad (A2)$$

and this bound is below the one of (10). Accordingly, the information gain is upper bounded by

$$I_{\rm av} \le \frac{1}{2}\log_2(T) + \frac{1}{2}\log_2(\pi e/2). \qquad (A3)$$


Appendix B: Proof of the upper bound (26).

The quantity we want to bound from above, i.e. $P_s(\mathrm{suc})$, is a monotonously increasing function of $P(\mathrm{suc}\,|\,\omega_j)$ for $P(\mathrm{suc}\,|\,\omega_j) > 1/2$. Thus, in view of (22) we have

$$P_s(\mathrm{suc}) = \sum_{e\ \mathrm{even}} \binom{s}{e}\,[1 - P(\mathrm{suc}\,|\,\omega_j)]^{e}\,[P(\mathrm{suc}\,|\,\omega_j)]^{s-e} \qquad (B1)$$

$$\le \sum_{e\ \mathrm{even}} \binom{s}{e}\,[1 - u(T)]^{e}\,[u(T)]^{s-e}. \qquad (B2)$$

Let us denote the r.h.s. of inequality (B2) by $Q^{(s)}(T)$. It can be shown by induction that $Q^{(s)}$ is equal to (26). To this end we note that $Q^{(s)}$ can be written alternatively in the form of an iteration, i.e.

(B3)

For s = 1 the equality we want to show holds, i.e. we have

(B4)

Assuming that it holds for s, i.e.

(B5)

we can prove also that it holds for s + 1, because

(B6)
(B7)